Support in AWS indexer for assuming a specified role

vaterlaus commented 5 months ago

This is at least the first pass at supporting assumed roles in the AWS indexer. I wasn't exactly sure what the target use case is, so I'm not 100% sure that this will handle everything that's required. @jon-funk Please let me know if this isn't what you need or if it's not working for you. I think this does functionally the exact same thing as the shell script snippet that you sent me.

I've only done some basic testing in a simple setup with a single user/role accessing an EC2 instance, but I did verify that it was hitting the code that makes the call to assume the role and substitute the credentials for the assumed role to use when it invokes CloudQuery.

Details from the commit message:

the role is specified with a field named "awsRoleArn" in the "aws" block of the "cloudConfig" block in the workspace info. The value is the ARN of the role to assume.
it's assumed that the identity associated with the access key that's specified in the AWS conifg has permission to assume the specified role.

stewartshea commented 5 months ago

@jon-funk do you have the ability / resources to test this out?

I think down the road I'd like an option to move this all out to a specific secret that can just be mounted in kube and referenced in the helm chart, but we can leave that for a separate issue.

jon-funk commented 5 months ago

Yup I can have a look. It'll probably be on Friday though with the rest of the stuff I have to finish up.

jon-funk commented 5 months ago

Looks to be working! Here's what I did to test:

First confirm the current authenticated user does not have access to the resources to index on when using regular auth:


jon-funk@Atlas:~/projects/rw-cli-codecollection/codebundles/aws-eks-health$ aws eks list-clusters --region $AWS_REGION

An error occurred (AccessDeniedException) when calling the ListClusters operation: User: arn:aws:iam::141963645784:user/no-perm-sa is not authorized to perform: eks:ListClusters on resource: arn:aws:eks:us-west-1:141963645784:cluster/*


- Now I call the script in a AWS codebundle, which has a prehook call to `auth.sh` that does the assume role behaviour implicitly

jon-funk@Atlas:~/projects/rw-cli-codecollection/codebundles/aws-eks-health$ ./check_eks_cluster_health.sh

Checking EKS Fargate Clusters: lab0

Checking Cluster: lab0

- With authentication setup I added the AWS creds to the `cloudConfig` and rendered some SLXs with AWS codebundles
![image](https://github.com/runwhen-contrib/runwhen-local/assets/28266570/9cc8e5ff-efd6-417b-b8e0-57537318539f)

jon-funk@Atlas:~/projects/runwhen-local/src$ docker kill RunWhenLocal; docker rm RunWhenLocal; docker build -t runwhen-local:test -f Dockerfile . && docker run --name RunWhenLocal -p 8099:8099 -v $workdir/shared:/shared -d runwhen-local:test && docker exec -w /workspace-builder -- RunWhenLocal ./run.sh



TODO note for myself on the codecollection side: passthrough the optional role ARN to tasks as a optional secret in the AWS codebundles. Task code already supports it I just need to add them to the robot layer.

runwhen-contrib / runwhen-local